Endpoint Protection


Computers contacting server directly instead of GUP


  • 1.  Computers contacting server directly instead of GUP

    Posted Aug 29, 2012 01:08 AM

    Hi,

    Some of the branches of our organisation complain that the bandwidth utilization is very high and is due to the updates pushed by the Symantec server. We have a GUP in all the branches, but it seems computers are contacting the server directly instead of the GUP. There are only 10-20 machines in every branch. Can you please let me know the possible reason why computers are contacting the server directly instead of the GUP, even though the GUP machine is online?


    Regards,
    Anish



  • 2.  RE: Computers contacting server directly instead of GUP

    Posted Aug 29, 2012 01:13 AM

    Hi,

    What is the SEPM version?

    Edit..

    Check this thread

    https://www-secure.symantec.com/connect/forums/sep-11-not-updating-gup

    Are the GUP clients updated as well?

    Are the Clients properly communicating to the SEPM Server and the GUP client machines?

    Are the GUP client machines updated with the Latest definitions?

    Troubleshooting Articles:

    Troubleshooting the Group Update Provider (GUP) in Symantec Endpoint Protection (SEP)

    http://www.symantec.com/docs/TECH104539

    Symantec Endpoint Protection: LiveUpdate Troubleshooting Flowchart

    http://www.symantec.com/docs/TECH95790

    Troubleshooting Content Delivery to the Symantec Endpoint Protection client

    http://www.symantec.com/docs/TECH106034

    Could you upload the sylink.log from one of the client machines that are not taking the updates? Check the article on how to pull the sylink logs:

    http://www.symantec.com/docs/TECH104758

     



  • 3.  RE: Computers contacting server directly instead of GUP

    Posted Aug 29, 2012 02:25 AM


    Hi,

    The SEPM version is 12.1.671.4971.

    The GUP as well as the computers are up to date. The issue does not happen every day, and not at all branches.

     

    Regards,

    Anish



  • 4.  RE: Computers contacting server directly instead of GUP

    Posted Aug 29, 2012 03:37 AM

    Are the clients/servers in the same or different group?

    Are you able to telnet to port 2967 on the GUP computer?

    Has the policy been applied?
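
The port check suggested in the post above, as an added example that is not part of the original thread: run from a branch client, it separates a GUP that accepts connections on TCP 2967 from one that refuses them or silently drops them. Host names are passed on the command line and are the reader's own; the function names and the 3-second timeout are assumptions of this example.

```python
import socket
import sys

GUP_PORT = 2967  # port named in the post above


def probe(host, port=GUP_PORT, timeout=3.0):
    """Classify one TCP connection attempt to a GUP.

    open       - something is listening and accepted the connection
    refused    - host answered, but nothing listens on the port
    timeout    - no answer at all (host down, or packets dropped on the path)
    unresolved - the host name could not be resolved
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        # Anything else, e.g. "No route to host"
        return "error:" + (exc.strerror or type(exc).__name__)


def survey(hosts, port=GUP_PORT, timeout=3.0):
    """Probe every host and return {host: state}."""
    return {host: probe(host, port, timeout) for host in hosts}


if __name__ == "__main__":
    # Usage: python gup_probe.py <gup-host> [<gup-host> ...]
    results = survey(sys.argv[1:])
    for host, state in results.items():
        print(f"{host}:{GUP_PORT} {state}")
    # Non-zero exit when any GUP is not reachable, for use in scheduled checks
    all_open = bool(results) and all(s == "open" for s in results.values())
    sys.exit(0 if all_open else 1)
```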



  • 5.  RE: Computers contacting server directly instead of GUP

    Posted Aug 29, 2012 04:06 AM

    Hi

    Please check whether you have checked the option for clients to try to connect to the SEPM after x hours.

    Regards

     



  • 6.  RE: Computers contacting server directly instead of GUP

    Posted Aug 29, 2012 10:29 AM

    The high traffic may be caused by frequent full downloads by the GUPs. In this case you have to increase the number of content revisions saved on the SEPM. More content versions cover a longer time line for delta files production, which dramatically reduces bandwidth utilization.

    So first I would check if the high traffic really stems from clients bypassing their GUPs.

    Here is a great article by John Q. explaining how you can use the SEPM logs for this purpose:

    https://www-secure.symantec.com/connect/articles/how-can-we-check-which-content-sep-121-clients-are-downloading-gup

    Alternatively, you can use the SEP Content Distribution Monitor:

    https://www-secure.symantec.com/connect/downloads/sep-content-distribution-monitor



  • 7.  RE: Computers contacting server directly instead of GUP

    Posted Aug 29, 2012 10:38 AM

    Is the GUP always on?



  • 8.  RE: Computers contacting server directly instead of GUP

    Posted Aug 30, 2012 12:34 AM

    Hi,

    That option is checked.

    Regards,
    Anish



  • 9.  RE: Computers contacting server directly instead of GUP

    Posted Aug 30, 2012 12:36 AM


    Hi,

    The GUP machine is always found ON when we are having this issue.

    Regards,
    Anish



  • 10.  RE: Computers contacting server directly instead of GUP

    Trusted Advisor
    Posted Aug 30, 2012 02:50 AM

    Hello,

    I agree with Greg's suggestion above.

    The more past revisions that you keep, the better the SEPM will be able to provide smaller "delta" definition updates to SEP clients that are farther out-of-date. 

    If you have ample bandwidth and can handle clients that are out of date by a week or more downloading full definitions (up to 200 MB) then reduce the number of past content revisions to 20, rather than 30.

    Keeping only 3 revisions means that SEP clients more than a day out of date will need the full download. (There are, on average, 3 releases of certified SEP definitions every weekday.)

    How to change the number of downloaded content revisions that are retained by the Symantec Endpoint Protection Manager versions 11.0. or 12.1

    http://www.symantec.com/docs/TECH104845

    Group Update Provider(GUP): Sizing and Scaling Guidelines

    http://www.symantec.com/business/support/index?page=content&id=TECH95353&locale=en_US

    SEP Content Distribution Monitor / GUP monitoring tool

    http://www.symantec.com/business/support/index?page=content&id=TECH156558

    GUP content monitoring tool video

    https://www-secure.symantec.com/connect/videos/sep-content-distribution-monitor-introduction

    and 

    Link to download the SEP Content Distribution Monitor Utility 

    https://www-secure.symantec.com/connect/downloads/sep-content-distribution-monitor

    Hope that helps!!



  • 11.  RE: Computers contacting server directly instead of GUP

    Posted Aug 30, 2012 03:05 AM

    Hi,

     


    That article was helpful to know the content revision process.
    Even if the GUP downloads a full content update from the SEPM because of the low number of content revisions, which in turn automatically increases the bandwidth utilization, how does this make client computers contact the server instead of the GUP?

     

    Regards,

    Anish



  • 12.  RE: Computers contacting server directly instead of GUP

    Trusted Advisor
    Posted Aug 30, 2012 03:38 AM

    Hello,

    Check these Articles:

    When will a client download a full definition set from a Symantec Endpoint Protection Manager or Group Update Provider?  

    http://www.symantec.com/docs/TECH131528

    Symantec Endpoint Protection clients download full definitions from Group Update Provider or from Symantec Endpoint Protection Manager

    http://www.symantec.com/docs/TECH122612

    With default LiveUpdate content revision settings configured within the Symantec Endpoint Protection Manager, clients are downloading full definition updates instead of delta updates

    http://www.symantec.com/docs/TECH94916

    Hope that helps!!


  • 13.  RE: Computers contacting server directly instead of GUP

    Posted Aug 30, 2012 04:02 AM

    Hello,

    You can confirm the issue by enabling debug on the GUP SEP client... verify whether it's downloading deltas.zip or full.zip.

    Check the debug.log file....



  • 14.  RE: Computers contacting server directly instead of GUP

    Posted Sep 03, 2012 05:53 PM

    Willing to try SQL?

    You can run the following SQL query and it will tell you which clients try to download from the GUP and which from the SEPM.

    SELECT [COMPUTER_ID]
          ,[HARDWARE_KEY]
          ,[HOST_NAME]
          ,[TIME_STAMP]
          ,[EVENT_ID]
          ,[EVENT_TIME]
          ,[SEVERITY]
          ,[AGENT_ID]
          ,[CATEGORY]
          ,[EVENT_SOURCE]
          ,[EVENT_DESC]
          ,[LOG_IDX]
      FROM [Antivirus_SEM5].[dbo].[AGENT_SYSTEM_LOG_1]
      WHERE [EVENT_SOURCE] = 'SYLINK'
    UNION ALL
      SELECT [COMPUTER_ID]
          ,[HARDWARE_KEY]
          ,[HOST_NAME]
          ,[TIME_STAMP]
          ,[EVENT_ID]
          ,[EVENT_TIME]
          ,[SEVERITY]
          ,[AGENT_ID]
          ,[CATEGORY]
          ,[EVENT_SOURCE]
          ,[EVENT_DESC]
          ,[LOG_IDX]
      FROM [Antivirus_SEM5].[dbo].[AGENT_SYSTEM_LOG_2]
      WHERE [EVENT_SOURCE] = 'SYLINK'
    ORDER BY [HOST_NAME], [HARDWARE_KEY]

    Original post here.

     



  • 15.  RE: Computers contacting server directly instead of GUP

    Posted Oct 06, 2012 04:17 AM

    Hi,

    Any update on this?